Closed Bug 1297142 Opened 8 years ago Closed 8 years ago

Assertion failure: callee_saved_value == get_register(r4), at js/src/jit/arm/Simulator-arm.cpp:4695 or Crash [@ js::gc::IsInsideNursery] with OOM

Categories: Core :: JavaScript Engine, defect
Hardware: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 1293311
Tracking Status: firefox51 --- affected

People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:]

The following testcase crashes on mozilla-central revision f97a056ae623 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-check-range-analysis):

var lfLogBuffer = `
//corefuzz-dcd-selectmode 4
function testcase() {
  testcase(TypedObject.objectType, 2147483731);
    eval('function foo() { var arguments, arguments = 42;}');
}
//corefuzz-dcd-endofdata
const libdir = "x";
//corefuzz-dcd-endofdata
//corefuzz-dcd-selectmode 2
function separator() {}
testcase()
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
        lfCodeBuffer = "";
    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
        loadFile(line);
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
        if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
            lfRunTypeId = parseInt(lfVarx.split(" ")[1]);
        } else {
            switch (lfRunTypeId) {
                case 2: oomTest(new Function(lfVarx));
                case 4:
                    oomTest(function() {
                        let m = parseModule(lfVarx);
                    });
                    evaluate(lfVarx);
            }
        }
}

Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0849d8ce in js::jit::Simulator::callInternal (this=0xf796d000, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4695
#0  0x0849d8ce in js::jit::Simulator::callInternal (this=0xf796d000, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4695
#1  0x0849da91 in js::jit::Simulator::call (this=<optimized out>, entry=0xf7be29c0 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345t\240\235", <incomplete sequence \345>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4774
#2  0x082838cd in EnterIon (data=..., cx=0xf7953000) at js/src/jit/Ion.cpp:2829
#3  js::jit::IonCannon (cx=0xf7953000, state=...) at js/src/jit/Ion.cpp:2926
#4  0x086b36fa in Interpret (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:2912
#5  0x086b3a0e in js::RunScript (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:399
#6  0x086b3cc3 in js::InternalCallOrConstruct (cx=0xf7953000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#7  0x086b3efd in InternalCall (cx=cx@entry=0xf7953000, args=...) at js/src/vm/Interpreter.cpp:498
#8  0x086b408b in js::Call (cx=0xf7953000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:517
#9  0x084cc0db in JS_CallFunction (cx=0xf7953000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2799
#10 0x08821114 in OOMTest (cx=0xf7953000, argc=1, vp=0xf40810b8) at js/src/builtin/TestingFunctions.cpp:1404
#11 0x086bb3fb in js::CallJSNative (cx=0xf7953000, native=0x8820e50 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#39 main (argc=6, argv=0xffffcd84, envp=0xffffcda0) at js/src/shell/js.cpp:7603
eax	0x0	0
ebx	0x8bedff4	146726900
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xf796d000	-141111296
edi	0xfffffffe	-2
ebp	0xffffad38	4294946104
esp	0xffffacb0	4294945968
eip	0x849d8ce <js::jit::Simulator::callInternal(unsigned char*)+1422>
=> 0x849d8ce <js::jit::Simulator::callInternal(unsigned char*)+1422>:	movl   $0x0,0x0
   0x849d8d8 <js::jit::Simulator::callInternal(unsigned char*)+1432>:	ud2    


I'm marking this s-s because I've seen a less reduced testcase crash with a GC signature. It could be a separate bug but until we have a fix for this one, it's hard to tell.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Setting needinfo? from :jolesen, our ARM guru here: how should we move this forward?
Flags: needinfo?(jolesen)
The assertion would suggest that we're calling ARM code that doesn't preserve the callee-saved registers correctly, but of course it could also mean that everything has been messed up.

Ben, could this be related to the recent 64-bit changes?
Flags: needinfo?(jolesen) → needinfo?(bbouvier)
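To make the assertion in the summary concrete: the simulator's call path seeds the callee-saved registers (r4-r11 under the ARM AAPCS) with a known value before entering JIT code and asserts they still hold it afterwards, so a failure means the generated code (or whatever corrupted the simulator state) did not honour the calling convention. The following Python model is an added illustration written for this page, not Mozilla code; the register file, the sentinel value and the two constructed "JIT functions" are all assumptions, and only the shape of the check (seed, call, compare) mirrors what the assertion text implies.

```python
"""Model of the callee-saved-register check an ARM simulator performs around a call.

Added illustration, not SpiderMonkey code: the real check is the assertion in
js::jit::Simulator::callInternal (Simulator-arm.cpp) that r4..r11 are unchanged
after the called code returns. Register roles follow the ARM AAPCS (r0-r3 are
argument/scratch registers, r4-r11 are callee-saved); the sentinel value and the
sample callees below are constructed for this example.
"""

CALLEE_SAVED = ["r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11"]
SCRATCH = ["r0", "r1", "r2", "r3"]


class RegisterFile(dict):
    """Tiny ARM-like register file: 32-bit values keyed by register name."""

    def __init__(self):
        super().__init__({r: 0 for r in SCRATCH + CALLEE_SAVED})

    def set(self, name, value):
        # Wrap to 32 bits, as a real core register would.
        self[name] = value & 0xFFFFFFFF


def call_internal(regs, callee, sentinel=0xDEADBEEF):
    """Seed every callee-saved register with `sentinel`, run `callee`
    (a Python function mutating `regs`, standing in for JIT code), then
    report which callee-saved registers were not preserved.

    Returns (callee_return_value, list_of_clobbered_registers). The real
    simulator asserts instead of returning a list; returning it keeps the
    model inspectable."""
    for r in CALLEE_SAVED:
        regs.set(r, sentinel)
    ret = callee(regs)
    clobbered = [r for r in CALLEE_SAVED if regs[r] != sentinel]
    return ret, clobbered


# Two constructed "JIT functions". Both use r4 as a temporary, but only the
# first saves and restores it as the ABI requires.
def well_behaved(regs):
    saved_r4 = regs["r4"]            # push {r4}
    regs.set("r4", regs["r0"] + 1)   # use r4 as scratch
    regs.set("r0", regs["r4"] * 2)   # result goes in r0
    regs.set("r4", saved_r4)         # pop {r4}
    return regs["r0"]


def clobbers_r4(regs):
    regs.set("r4", regs["r0"] + 1)   # uses r4 but never restores it
    regs.set("r0", regs["r4"] * 2)
    return regs["r0"]


def check(callee, arg):
    """Run `callee` with `arg` in r0 under the callee-saved check."""
    regs = RegisterFile()
    regs.set("r0", arg)
    return call_internal(regs, callee)


if __name__ == "__main__":
    print(check(well_behaved, 20))   # (42, [])
    print(check(clobbers_r4, 20))    # (42, ['r4'])
```

Both callees compute the same result, which is why a register-preservation bug can go unnoticed on real hardware until some caller happens to depend on the clobbered register; the simulator's sentinel check turns that latent ABI violation into an immediate, deterministic failure at the call boundary.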
I don't see any wasm on the stack or in the original script. This could indeed be related to the regalloc changes, but it seems strange.

Can we have a (manual) regression range here, please?
Flags: needinfo?(bbouvier)
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/772713cbce54
user:        Jan de Mooij
date:        Sat Jun 11 15:01:49 2016 +0200
summary:     Bug 1272598 part 5 - Allocate arguments objects from Ion JIT code. r=luke

Jan, is bug 1272598 a likely regressor?

(Also, this seems to be an intermittent issue)
Blocks: 1272598
Flags: needinfo?(gary) → needinfo?(jdemooij)
I can reproduce this at an older revision, but not when I apply the patch for bug 1293311.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Group: javascript-core-security